<!DOCTYPE html>
<html lang="zh-CN">
<head>
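  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.0.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">
  <meta name="baidu-site-verification" content="G1hRwH33Kv">

<link rel="stylesheet" href="/css/main.css">

<!-- Third-party CSS from a CDN. Both files are pinned to exact versions and are now
     requested over an explicit https: scheme instead of a protocol-relative "//" URL,
     so they cannot be downgraded to cleartext when the page itself is served over http.
     To also detect a tampered CDN response, add integrity="sha384-<HASH-OF-PINNED-FILE>"
     together with crossorigin="anonymous" to each link (hash values not reproduced here). -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.14.0/css/all.min.css">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css">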

<script class="hexo-configurations">
    // Theme-wide settings emitted by Hexo/NexT at build time. Declared with `var`
    // so `NexT` and `CONFIG` become window-level globals; the page-configurations
    // script later extends CONFIG with CONFIG.page, and the comments script reads
    // CONFIG.comments.
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"dockerlin666.gitee.com","root":"/","scheme":"Muse","version":"8.0.0-rc.5","exturl":false,"sidebar":{"position":"left","display":"always","padding":18,"offset":12},"copycode":false,"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":"changyan","storage":true,"lazyload":false,"nav":null,"activeClass":"changyan"},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false};
  </script>

  <meta name="description" content="介绍OpenSSL是一个健壮的、商业级的、功能齐全的开源工具包，用于传输层安全(TLS)协议，以前称为安全套接字层(Secure Sockets Layer, SSL)协议。协议实现基于全强度通用密码库，也可以单独使用。openssl是一个功能丰富且自包含的开源安全工具箱。它提供的主要功能有：SSL协议实现(包括SSLv2、SSLv3和TLSv1)、大量软算法(对称&#x2F;非对称&#x2F;摘要)、大数运算、非对">
<meta property="og:type" content="article">
<meta property="og:title" content="linux-openssl">
<meta property="og:url" content="http://dockerlin666.gitee.com/2020/09/16/linux-openssl/index.html">
<meta property="og:site_name" content="阳光灿烂的日志">
<meta property="og:description" content="介绍OpenSSL是一个健壮的、商业级的、功能齐全的开源工具包，用于传输层安全(TLS)协议，以前称为安全套接字层(Secure Sockets Layer, SSL)协议。协议实现基于全强度通用密码库，也可以单独使用。openssl是一个功能丰富且自包含的开源安全工具箱。它提供的主要功能有：SSL协议实现(包括SSLv2、SSLv3和TLSv1)、大量软算法(对称&#x2F;非对称&#x2F;摘要)、大数运算、非对">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2020-09-16T03:02:15.000Z">
<meta property="article:modified_time" content="2020-09-23T07:44:45.913Z">
<meta property="article:author" content="刀客林">
<meta property="article:tag" content="shell">
<meta property="article:tag" content="linux">
<meta property="article:tag" content="openssl">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="http://dockerlin666.gitee.com/2020/09/16/linux-openssl/">


<script class="page-configurations">
  // https://hexo.io/docs/variables.html
  // Per-page flags merged onto the global CONFIG object declared in the
  // hexo-configurations script: this page is a single post, not the home page.
  CONFIG.page = { sidebar: "", isHome: false, isPost: true, lang: 'zh-CN' };
</script>

  <title>linux-openssl | 阳光灿烂的日志</title>
  


  <script>
    // Baidu Tongji (analytics) loader. `_hmt` is the global command queue the
    // tracker consumes; the IIFE injects the tracker script ahead of the first
    // <script> element on the page. Like any third-party script, it runs with
    // the page's full privileges and is not covered by an integrity check.
    var _hmt = _hmt || [];
    (function (doc) {
      var tracker = doc.createElement("script");
      tracker.src = "https://hm.baidu.com/hm.js?f59280177ba9fcb78a3c938de71308e3";
      var anchor = doc.getElementsByTagName("script")[0];
      anchor.parentNode.insertBefore(tracker, anchor);
    })(document);
  </script>




  <noscript>
  <style>
  /* Fallback rules applied only when JavaScript is disabled. The container
     carries the `use-motion` class; these overrides make the elements that the
     theme's motion transitions would otherwise reveal visible without script
     (presumably they start hidden/transparent in main.css — verify there). */
  body { margin-top: 2rem; }

  .use-motion .menu-item,
  .use-motion .sidebar,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header {
    visibility: visible;
  }

  .use-motion .header,
  .use-motion .site-brand-container .toggle,
  .use-motion .footer { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle,
  .use-motion .custom-logo-image {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line {
    transform: scaleX(1);
  }

  /* Script-driven widgets are hidden and the sidebar panels shown statically. */
  .search-pop-overlay, .sidebar-nav { display: none; }
  .sidebar-panel { display: block; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <main class="main">
      <header class="header" itemscope itemtype="http://schema.org/WPHeader">
        <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
    </div>
  </div>

  <div class="site-meta">
      <img class="custom-logo-image" src="/uploads/logo400.png" alt="阳光灿烂的日志">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <h1 class="site-title">阳光灿烂的日志</h1>
      <i class="logo-line"></i>
    </a>
      <p class="site-subtitle" itemprop="description">oh,my god</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>



<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
        <li class="menu-item menu-item-commonweal">

    <a href="/404/" rel="section"><i class="fa fa-heartbeat fa-fw"></i>公益 404</a>

  </li>
  </ul>
</nav>




</div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
  </div>

  <aside class="sidebar">

    <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
      <ul class="sidebar-nav">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <section class="post-toc-wrap sidebar-panel">
          <div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BB%8B%E7%BB%8D"><span class="nav-number">1.</span> <span class="nav-text">介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%AE%97%E6%B3%95%E7%AE%80%E4%BB%8B"><span class="nav-number">2.</span> <span class="nav-text">算法简介</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%91%BD%E4%BB%A4%E8%AF%A6%E8%A7%A3"><span class="nav-number">3.</span> <span class="nav-text">命令详解</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#help"><span class="nav-number">3.1.</span> <span class="nav-text">help</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%A0%87%E5%87%86%E5%91%BD%E4%BB%A4%EF%BC%88Standard-commands%EF%BC%89"><span class="nav-number">3.2.</span> <span class="nav-text">标准命令（Standard commands）</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%91%98%E8%A6%81%E7%AE%97%E6%B3%95%E5%91%BD%E4%BB%A4%EF%BC%88Message-Digest-commands%EF%BC%89"><span class="nav-number">3.3.</span> <span class="nav-text">摘要算法命令（Message Digest commands）</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%8A%A0%E8%A7%A3%E5%AF%86%E5%91%BD%E4%BB%A4%EF%BC%88Cipher-commands%EF%BC%89"><span class="nav-number">3.4.</span> <span class="nav-text">加解密命令（Cipher commands）</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%B8%B8%E7%94%A8%E5%91%BD%E4%BB%A4%E6%80%BB%E7%BB%93"><span class="nav-number">3.5.</span> <span class="nav-text">常用命令总结</span></a></li></ol></li></ol></div>
      </section>
      <!--/noindex-->

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="刀客林"
      src="/uploads/avatar.jpg">
  <p class="site-author-name" itemprop="name">刀客林</p>
  <div class="site-description" itemprop="description">记录无聊的生活，要不然都忘记了！</div>
</div>
<div class="site-state-wrap animated">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">6</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">4</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">11</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>



      </section>
    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </header>

      
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>

<noscript>
  <div id="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>


      <div class="main-inner">
        

        <div class="content post posts-expand">
          

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://dockerlin666.gitee.com/2020/09/16/linux-openssl/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/uploads/avatar.jpg">
      <meta itemprop="name" content="刀客林">
      <meta itemprop="description" content="记录无聊的生活，要不然都忘记了！">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="阳光灿烂的日志">
    </span>

    
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          linux-openssl
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2020-09-16 11:02:15" itemprop="dateCreated datePublished" datetime="2020-09-16T11:02:15+08:00">2020-09-16</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2020-09-23 15:44:45" itemprop="dateModified" datetime="2020-09-23T15:44:45+08:00">2020-09-23</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E5%AD%A6%E4%B9%A0/" itemprop="url" rel="index"><span itemprop="name">学习</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E5%AD%A6%E4%B9%A0/shell/" itemprop="url" rel="index"><span itemprop="name">shell</span></a>
                </span>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="far fa-comment"></i>
      </span>
      <span class="post-meta-item-text">Changyan：</span>
    
    
      <a title="changyan" href="/2020/09/16/linux-openssl/#SOHUCS" itemprop="discussionUrl">
        <span id="changyan_count_unit" class="post-comments-count hc-comment-count" data-xid="2020/09/16/linux-openssl/" itemprop="commentCount"></span>
      </a>
    
  </span>
  
  <br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>8.8k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>8 分钟</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <h2 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></a>介绍</h2><div class="note info"><p><strong>OpenSSL是一个健壮的、商业级的、功能齐全的开源工具包，用于传输层安全(TLS)协议，以前称为安全套接字层(Secure Sockets Layer, SSL)协议。协议实现基于全强度通用密码库，也可以单独使用。</strong><br><strong>openssl是一个功能丰富且自包含的开源安全工具箱。它提供的主要功能有：SSL协议实现(包括SSLv2、SSLv3和TLSv1)、大量软算法(对称/非对称/摘要)、大数运算、非对称算法密钥生成、ASN.1编解码库、证书请求(PKCS10)编解码、数字证书编解码、CRL编解码、OCSP协议、数字证书验证、PKCS7标准实现和PKCS12个人数字证书格式实现等功能。</strong><br><a target="_blank" rel="noopener" href="https://github.com/openssl/openssl"><span style="color:red;">项目地址</span></a> <a target="_blank" rel="noopener" href="https://www.openssl.org/"><span style="color:red;">官方网址</span></a> <a target="_blank" rel="noopener" href="https://www.openssl.net.cn/"><span style="color:red;">手册</span></a></p>
</div>

<a id="more"></a>

<h2 id="算法简介"><a href="#算法简介" class="headerlink" title="算法简介"></a>算法简介</h2><div class="tabs" id="configtab"><ul class="nav-tabs"><li class="tab active"><a href="#configtab-1"><i class="fa fa-bell"></i>对称算法</a></li><li class="tab"><a href="#configtab-2"><i class="fa fa-file"></i>摘要算法</a></li><li class="tab"><a href="#configtab-3"><i class="fa fa-file"></i>公钥算法</a></li><li class="tab"><a href="#configtab-4"><i class="fa fa-file"></i>回调函数</a></li></ul><div class="tab-content"><div class="tab-pane active" id="configtab-1"><pre><code>对称算法使用一个密钥。给定一个明文和一个密钥，加密产生密文，其长度和明文大致相同。解密时，使用读密钥与加密密钥相同。
ECB\CBC\CFB\OFB</code></pre></div><div class="tab-pane" id="configtab-2"><pre><code>摘要算法是一种能产生特殊输出格式的算法，这种算法的特点是：无论用户输入什么长度的原始数据，经过计算后输出的密文都是固定长度的，这种算法的原理是根据一定的运算规则对原数据进行某种形式的提取，这种提取就是摘要，被摘要的数据内容与原数据有密切联系，只要原数据稍有改变，输出的“摘要”便完全不同，因此，基于这种原理的算法便能对数据完整性提供较为健全的保障。但是，由于输出的密文是提取原数据经过处理的定长值，所以它已经不能还原为原数据，即消息摘要算法是不可逆的，理论上无法通过反向运算取得原数据内容，因此它通常只能被用来做数据完整性验证。
如今常用的“消息摘要”算法经历了多年验证发展而保留下来的算法已经不多，这其中包括MD2、MD4、MD5、SHA、SHA-1/256/384/512等。
常用的摘要算法主要有MD5和SHA1。MD5的输出结果为16字节，sha1的输出结果为20字节。</code></pre></div><div class="tab-pane" id="configtab-3"><pre><code>在公钥密码系统中，加密和解密使用的是不同的密钥，这两个密钥之间存在着相互依存关系：即用其中任一个密钥加密的信息只能用另一个密钥进行解密。这使得通信双方无需事先交换密钥就可进行保密通信。其中加密密钥和算法是对外公开的，人人都可以通过这个密钥加密文件然后发给收信者，这个加密密钥又称为公钥；而收信者收到加密文件后,它可以使用他的解密密钥解密，这个密钥是由他自己私人掌管的，并不需要分发，因此又成称为私钥，这就解决了密钥分发的问题。
主要的公钥算法有：RSA、DSA、DH和ECC。</code></pre></div><div class="tab-pane" id="configtab-4"><pre><code>Openssl中大量用到了回调函数。回调函数一般定义在数据结构中，是一个函数指针。通过回调函数，客户可以自行编写函数，让openssl函数来调用它，即用户调用openssl提供的函数，openssl函数再回调用户提供的函数。这样方便了用户对openssl函数操作的控制。在openssl实现函数中，它一般会实现一个默认的函数来进行处理，如果用户不设置回调函数，则采用它默认的函数。</code></pre></div></div></div>

<h2 id="命令详解"><a href="#命令详解" class="headerlink" title="命令详解"></a>命令详解</h2><h3 id="help"><a href="#help" class="headerlink" title="help"></a>help</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">$ openssl help （所有命令帮助）</span><br><span class="line">.....</span><br><span class="line">$ openssl help dgst (列出命令dgst帮助)</span><br><span class="line">.....</span><br><span class="line">$ openssl help list (列出命令list帮助) 等同于 openssl list -help</span><br><span class="line">.....</span><br></pre></td></tr></table></figure>

<h3 id="标准命令（Standard-commands）"><a href="#标准命令（Standard-commands）" class="headerlink" title="标准命令（Standard commands）"></a>标准命令（Standard commands）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$ openssl list -commands （列出标准命令）</span><br><span class="line">......</span><br></pre></td></tr></table></figure>

<ul>
<li>asn1parse<br>  asn1parse是一个有效的诊断工具，可以解析ASN.1结构。也可用来从ASN.1格式的数据中提取数据。</li>
<li>ca<br>  ca是一个极小的CA应用程序。它可被用于签名各种证书请求及生成CRLs，它也包含了一个文本数据库，其中记录了已经发布的证书以及这些证书的状态。</li>
<li>ciphers<br>  显示支持的加密套件。</li>
<li>cms<br>  该命令处理S/MIME v3.1邮件。可以用它对S/MIME消息进行加密、解密、签名、验证签名、压缩以及解压缩等操作。</li>
<li>crl<br>  crl命令用于处理PEM或DER格式的CRL文件（证书吊销列表 (Certificate Revocation List ，简称： CRL) 是 PKI 系统中的一个结构化数据文件）</li>
<li>crl2pkcs7<br>  本命令根据CRL或证书来生成pkcs#7消息。</li>
<li>dgst<br>  dgst用于数据摘要。</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">echo -n &quot;123456&quot; | openssl dgst -md5  # 输出md5值</span><br><span class="line">echo -n &quot;123456&quot; | openssl dgst -sha1 # 输出sha1值</span><br><span class="line">echo -n &#39;123456&#39; &gt; a.txt</span><br><span class="line">openssl dgst -md5 a.txt # 输出文件md5值与上例相同</span><br></pre></td></tr></table></figure>

<ul>
<li>dhparam<br>  生成和管理Diffie-Hellman参数。被genpkey和pkeyparam取代</li>
<li>dsa<br>  DSA数据管理。处理DSA密钥、格式转换和打印信息，用于数字签名</li>
<li>dsaparam<br>  DSA参数生成与管理。用于生成和操作dsa证书参数，用于数字签名，被genpkey和pkeyparam取代</li>
<li>ec<br>  EC（椭圆曲线）密钥处理，用于数字签名和加密</li>
<li>ecparam<br>  EC参数的操作和生成，产生ECC密钥对。用于数字签名和加密</li>
<li>enc<br>  加密和解密<br>  对称加密算法工具。它能够运用块或者流算法对数据加/解密，还可以把结果进行base64编码。</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">openssl enc -des3 -e -in a.txt -out b.txt</span><br></pre></td></tr></table></figure>

<ul>
<li><p>engine<br>  引擎（loadable模块）信息和操纵。</p>
</li>
<li><p>errstr<br>  本命令用于查询错误代码。</p>
</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">openssl errstr 02001002</span><br></pre></td></tr></table></figure>

<ul>
<li>gendsa<br>  gendsa根据DSA密钥参数生成DSA密钥，dsa密钥参数可用dsaparam命令生成。</li>
<li>genpkey<br>  生成私钥或参数。<br>  鼓励使用genpkey，因为可以使用额外的算法选项和ENGINE提供的算法。</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"># 生成RSA私钥</span><br><span class="line">$openssl genpkey -out rsa_pri.key -outform PEM -pass pass:123456  -aes-128-cbc \</span><br><span class="line"> -algorithm RSA -pkeyopt rsa_keygen_bits:1024  -text</span><br><span class="line"># 这种方式生成的RSA私钥 不仅代用 私钥和大数，还代用公钥，以及其它信息，以用于快速计算。</span><br></pre></td></tr></table></figure>

<ul>
<li>genrsa<br>  生成RSA密钥。</li>
<li>help<br>  帮助</li>
<li>list<br>  列出命令</li>
<li>nseq<br>  创建或检查netscape证书序列，多证书与netscape证书序列间相互转化</li>
<li>ocsp<br>  在线证书状态协议实用程序。</li>
<li>passwd<br>  生成散列密码。生成各种口令密文</li>
<li>pkcs12<br>  PKCS12数据管理。工具，用于生成和分析pkcs12文件</li>
<li>pkcs7<br>  PKCS7加密消息语法，各种消息存放的格式标准；用于处理DER或者PEM格式的pkcs7文件</li>
<li>pkcs8<br>  私钥转换工具，pkcs8格式</li>
<li>pkey<br>  pkey命令处理公钥或私钥。它们可以在各种形式之间进行转换，并将其结构打印出来。</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;由私钥生成公钥</span><br><span class="line">$openssl pkey  -in rsa_pri.key -inform PEM -passin pass:123456 -out rsa_pub.key -outform PEM     -pubout -text</span><br><span class="line">&#x2F;&#x2F;私钥改密码</span><br><span class="line">$openssl pkey  -in rsa_pri.key -inform PEM -passin pass:123456 -out rsa_change.key -outform PEM -passout pass:456789 -des-cbc  -text</span><br><span class="line">&#x2F;&#x2F;改变公钥格式</span><br><span class="line">$openssl pkey  -in rsa_pub.key -inform PEM -out rsa_pub_der.key -outform DER -pubin -pubout -text</span><br></pre></td></tr></table></figure>

<ul>
<li><p>pkeyparam</p>
<ul>
<li>该命令没有-inform或-outform选项，因为仅支持PEM格式，因为密钥类型由PEM头决定。</li>
</ul>
</li>
<li><p>pkeyutl<br>  公钥算法加密操作实用程序。pkeyutl命令可用于执行支持的公钥操作.</p>
</li>
<li><p>prime<br>  检查一个数是否是素数</p>
</li>
<li><p>rand<br>  生成伪随机字节。</p>
</li>
<li><p>rehash<br>  为文件创建一个符号链接，并将此符号链接的名称设为文件的hash值，作用是让openssl在证书目录中能够找到证书</p>
</li>
<li><p>req<br>  PKCS10 X.509证书签名请求（CSR）管理。<br>  req命令主要创建证书请求（可以新生成私钥），查看证书请求。它可以创建自签名证书，以作为root CA使用。但不能读取证书</p>
</li>
<li><p>rsa<br>  RSA密钥管理。处理RSA密钥、格式转换和打印信息</p>
</li>
<li><p>rsautl<br>  RSA实用程序用于签名，验证，加密和解密。取而代之的是pkeyutl</p>
</li>
<li><p>s_client<br>  这将实现一个通用SSL / TLS客户端，可以建立与远程服务器的SSL / TLS透明连接。</p>
</li>
<li><p>s_server<br>  这实现了一个通用SSL / TLS服务器，它接受来自远程客户端的SSL / TLS连接。</p>
</li>
<li><p>s_time<br>  SSL连接定时器。提供的SSL/TLS性能测试工具，测试服务</p>
</li>
<li><p>sess_id<br>  SSL会话数据管理。SSL/TLS协议的session处理工具</p>
</li>
<li><p>smime<br>  S / MIME邮件处理。处理S/MIME邮件，加密、解密、签名和验证</p>
</li>
<li><p>speed<br>  算法速度测量，用于测试库的性能</p>
</li>
<li><p>spkac<br>  SPKAC打印和生成实用程序</p>
</li>
<li><p>srp<br>  secure remote password SRP协议</p>
</li>
<li><p>storeutl<br>  这个命令可用于显示从给定uri中获取的内容(根据具体情况在解密之后)。</p>
</li>
<li><p>ts<br>  时间戳机构工具（客户端/服务器）</p>
</li>
<li><p>verify<br>  X.509证书验证。</p>
</li>
<li><p>version<br>  openssl version</p>
</li>
<li><p>x509<br>  X.509证书管理。显示证书信息、转换证书格式、签名证书请求及改变证书信任设置,X.509是ITU-T标准化部门基于他们之前的ASN.1定义的一套证书标准。</p>
</li>
</ul>
<h3 id="摘要算法命令（Message-Digest-commands）"><a href="#摘要算法命令（Message-Digest-commands）" class="headerlink" title="摘要算法命令（Message Digest commands）"></a>摘要算法命令（Message Digest commands）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ openssl list -digest-commands （列出摘要命令）</span><br><span class="line">......</span><br><span class="line">$ openssl list -digest-algorithms (列出摘要算法)</span><br><span class="line">......</span><br></pre></td></tr></table></figure>

<ul>
<li>所有新应用程序首选的摘要算法是SHA1。然而其他摘要算法仍然被广泛使用。</li>
<li>在签名时，dgst将根据私钥的ASN.1信息自动确定用于签名的算法（RSA，ECC等）。当验证签名时，它只处理RSA，DSA或ECDSA签名本身，而不是分析相关数据来识别签名者和相关算法，如x.509，CMS和S / MIME的签名者和算法。</li>
<li>某些签名算法，特别是ECDSA和DSA需要一个随机数源。</li>
<li>仅当单个文件要签名或验证时，才能使用签名和验证选项</li>
<li>十六进制签名无法使用openssl进行验证。使用“xxd -r”或类似程序在验证之前将十六进制签名转换为二进制签名。</li>
</ul>
<h3 id="加解密命令（Cipher-commands）"><a href="#加解密命令（Cipher-commands）" class="headerlink" title="加解密命令（Cipher commands）"></a>加解密命令（Cipher commands）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ openssl list -cipher-commands （列出加解密命令）</span><br><span class="line">......</span><br><span class="line">$ openssl list -cipher-algorithms (列出加解密算法)</span><br><span class="line">......</span><br></pre></td></tr></table></figure>

<ul>
<li>该程序可以通过openssl ciphername或者openssl enc -ciphername 两种方式调用，但是前一种不支持引擎加密.</li>
<li>应在配置文件中配置提供全新加密算法的引擎（如提供gost89算法的ccgost引擎）。在命令行中使用-engine选项指定的引擎只能用于由配置文件中指定的OpenSSL内核或其他引擎支持的密码的硬件辅助实现</li>
<li>当enc命令列出支持的加密算法时，也列出了配置文件中指定的引擎提供的算法。</li>
<li>如果需要，将提示输入密钥以获得密钥。</li>
<li>如果从密码派生密钥，则应使用-salt选项，除非您希望与以前版本的OpenSSL和SSLeay兼容。没有-salt选项，可以对密码执行有效的字典攻击，并攻击流密码加密数据。原因是没有salt，相同的密码总是生成相同的加密密钥。当salt被使用时，加密数据的前八个字节被保留给盐：它在加密文件时被随机生成，并且在被解密时从加密文件读取。</li>
<li>一些密码没有大的密钥，如果不正确使用，会带来安全隐患。建议初学者在CBC模式下使用强分组密码，如bf或des3。</li>
<li>所有块密码通常使用PKCS＃5填充，也称为标准块填充：这允许执行基本的完整性或密码检查。然而，由于随机数据通过该测试的概率高于1/256，这不是一个非常好的测试。</li>
<li>如果禁止填充，则输入数据必须是密码块长度的倍数。</li>
<li>所有RC2密码具有相同的密钥和有效的密钥长度。</li>
<li>Blowfish和RC5算法使用128位密钥。</li>
</ul>
<h3 id="常用命令总结"><a href="#常用命令总结" class="headerlink" title="常用命令总结"></a>常用命令总结</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span 
class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"># 生成100位随机数，使用base64编码输出</span><br><span class="line">openssl rand -base64 100</span><br><span class="line"># 输出到文件myr.dat</span><br><span class="line">openssl rand –base64 –out myr.dat 100</span><br><span class="line"># 16进制方式输出</span><br><span class="line">openssl rand -hex 10</span><br><span class="line"></span><br><span class="line"># 生成md5摘要</span><br><span class="line">echo -n 123456 | openssl dgst -md5 | awk &#39;&#123;printf(&quot;%s&quot;,md5)&#125;&#39;</span><br><span class="line"># 生成sha1摘要</span><br><span class="line">echo -n 123456 | openssl dgst -sha1 | awk &#39;&#123;printf(&quot;%s&quot;,sha1)&#125;&#39;</span><br><span class="line"></span><br><span class="line"># 对称加密</span><br><span class="line"># 生成16进制加密字符串</span><br><span class="line">echo -n &quot;我们是害虫，正义的来福灵快来把我杀死！&quot;|openssl enc -e -aes-128-ecb -K 226a89e66d0dcc79c9673150fa176001 | od -tx1 | awk &#39;&#123;for(i&#x3D;2;i&lt;&#x3D;NF;i++)&#123;printf(&quot;%s&quot;,);&#125;&#125;&#39;</span><br><span class="line"># 解密16进制加密字符串</span><br><span class="line">echo -n &quot;6556492b1fbfd723fb2af8dc32fa0b2105007adde27f96d257abc45b9a1ddaee9fa8999029e756cfd1cabf24c941ab7ce6925f1ff7a7123db9921f9d596625a7&quot;| sed &#39;s&#x2F;\(..\)&#x2F;\\\\x\1&#x2F;g&#39; | xargs echo -e -n | openssl enc -d -aes-128-ecb -K 226a89e66d0dcc79c9673150fa176001</span><br><span class="line"></span><br><span class="line"># 生成base64编码加密字符串</span><br><span class="line">echo -n &quot;我们是害虫，正义的来福灵快来把我杀死！&quot;|openssl enc -e -aes-128-ecb -K 226a89e66d0dcc79c9673150fa176001 -a -A</span><br><span class="line"># 解密base64字符串</span><br><span class="line">echo -n 
&quot;ZVZJKx+&#x2F;1yP7KvjcMvoLIQUAet3if5bSV6vEW5od2u6fqJmQKedWz9HKvyTJQat85pJfH&#x2F;enEj25kh+dWWYlpw&#x3D;&#x3D;&quot;|openssl enc -d -aes-128-ecb -K 226a89e66d0dcc79c9673150fa176001 -a -A</span><br><span class="line"></span><br><span class="line"># 以上aes-128-ecb为加解密算法，-K参数表示加密秘钥，加密和解密方需妥善保存</span><br><span class="line"></span><br><span class="line"># 非对称，使用公钥加密，私钥解密</span><br><span class="line"># 生成私钥</span><br><span class="line">openssl genpkey -out cxl_rsa_pri.key -outform PEM -pass pass:whyme -aes-128-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:1024  -text</span><br><span class="line"># 用私钥生成公钥</span><br><span class="line">openssl pkey -in cxl_rsa_pri.key  -inform PEM -passin pass:whyme -out cxl_rsa_pub.key -outform PEM -pubout -text</span><br><span class="line"># 用公钥加密，输出base64编码</span><br><span class="line">echo -n &#39;123456&#39; | openssl pkeyutl -encrypt -inkey cxl_rsa_pub.key  -keyform PEM -pubin | base64 -w0</span><br><span class="line"># 用私钥解密</span><br><span class="line">echo -n &#39;QmjiDoh&#x2F;j+dtdxuZ0BUlrRTHbZFCzb43ZnM+cbpT93JnRQa64MrTLrAj50O1EM&#x2F;voM9KPgvQfuiIhQbwKdeDXV66ZmlbsXfhc0PW2xMDCqJaR77E2N8yyAFWx4Z698zCqWx86svgscpQp62dwX&#x2F;9P0+e1za2lbFCe8h0wv2ZQcE&#x3D;&#39; | base64 -d | openssl pkeyutl -decrypt -inkey cxl_rsa_pri.key -passin pass:whyme </span><br><span class="line"># 由用户侧传过来的数据都是加密后的数据，没有私钥无法查看原始数据</span><br><span class="line"># 使用私钥签名</span><br><span class="line">echo -n &#39;123456&#39; | openssl pkeyutl -sign -inkey cxl_rsa_pri.key  -keyform PEM -passin pass:whyme | base64 -w0</span><br><span class="line"># 使用公钥验证签名</span><br><span class="line">echo -n &#39;123456&#39; &gt; data.txt</span><br><span class="line">echo -n &#39;DPBPRL&#x2F;DTmR8llgjF16U1NDtZTgLLYBaqq2IP&#x2F;wwWilEbJDpKCVb7mx82EwtSi6GAisx4TzL9U&#x2F;O6bpyJeVFrCMhLkKo3Lhs2hzQMBKi42CcsTHcEiCH6o6eOI+1ZpfdDXDFz7&#x2F;IdQJdek0oXx6cZPuWlWqiq2bEmZK2T9zbFBE&#x3D;&#39; | base64 -d &gt; sig</span><br><span class="line">openssl pkeyutl  -verify -inkey cxl_rsa_pub.key 
-keyform PEM -pubin -in data.txt -sigfile sig</span><br><span class="line"># 服务器发给客户端的数据由客户端验证签名，保证数据没有篡改过</span><br><span class="line"></span><br><span class="line"># 证书</span><br><span class="line">openssl version -a </span><br><span class="line">#查看版本和配置文件位置,生成证书可以使用配置文件中的相关配置,本例中不使用这种方式，各位可以研究一下</span><br><span class="line">-nodes  :如果指定-newkey自动生成秘钥，那么-nodes选项说明生成的秘钥不需要加密，即不需要输入passphase.   </span><br><span class="line">-batch  :指定非交互模式，直接读取config文件配置参数，或者使用默认参数值    </span><br><span class="line"></span><br><span class="line"># 生成证书，可以在生成证书的时候生成私钥，也可以指定私钥文件生成证书，如果都不指定，会自动生成私钥文件</span><br><span class="line"></span><br><span class="line"># 生成自签名证书，证书名cxl-req.crt，不指定私钥，私钥名为配置文件中名称或缺省privkey.pem</span><br><span class="line">openssl req -x509 -newkey rsa:1024 -out cxl-req.crt</span><br><span class="line"># 指定私钥密码</span><br><span class="line">openssl req -x509 -newkey rsa:1024 -out cxl-req.crt -passout pass:123456</span><br><span class="line"># 指定证书参数</span><br><span class="line">openssl req -x509 -newkey rsa:1024 -out cxl-req.crt -passout pass:123456 -subj &#x2F;C&#x3D;CN&#x2F;ST&#x3D;北京市&#x2F;L&#x3D;城市名&#x2F;OU&#x3D;组织名&#x2F;O&#x3D;公司名&#x2F;CN&#x3D;whatthis&#x2F;emailAddress&#x3D;test@company.com</span><br><span class="line"># 查看证书内容</span><br><span class="line">openssl x509 -in cxl-req.crt -noout -text</span><br><span class="line">openssl x509 -in cxl-req.crt -noout -subject</span><br><span class="line">openssl x509 -in cxl-req.crt -noout -pubkey</span><br><span class="line"># 指定私钥名称 cxl-req-pri.pem</span><br><span class="line">openssl req -x509 -newkey rsa:1024 -out cxl-req.crt -keyout cxl-req-pri.pem -outform PEM -passout pass:123456 -subj &#x2F;C&#x3D;CN&#x2F;ST&#x3D;provincename&#x2F;L&#x3D;cityname&#x2F;OU&#x3D;organizationname&#x2F;O&#x3D;companyname&#x2F;CN&#x3D;whatthis&#x2F;emailAddress&#x3D;test@company.com</span><br><span class="line"># 使用密钥生成证书</span><br><span class="line">openssl req -new -x509  -key cxl-req-pri.pem -outform PEM -passin pass:123456 
-out cxl-req111.crt -subj &#x2F;C&#x3D;CN&#x2F;ST&#x3D;provincename&#x2F;L&#x3D;cityname&#x2F;OU&#x3D;organizationname&#x2F;O&#x3D;companyname&#x2F;CN&#x3D;whatthis&#x2F;emailAddress&#x3D;test@company.com</span><br><span class="line"># 查看证书 </span><br><span class="line">openssl x509 -in cxl-req111.crt -noout -text</span><br></pre></td></tr></table></figure>
    </div>

    
    
    

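      <footer class="post-footer">
        <!-- Tag links. The Font Awesome icons are purely decorative, so they are hidden from assistive tech. -->
        <div class="post-tags">
          <a href="/tags/shell/" rel="tag"><i class="fa fa-tag" aria-hidden="true"></i> shell</a>
          <a href="/tags/linux/" rel="tag"><i class="fa fa-tag" aria-hidden="true"></i> linux</a>
          <a href="/tags/openssl/" rel="tag"><i class="fa fa-tag" aria-hidden="true"></i> openssl</a>
        </div>
        <!-- Previous/next post links as a labelled landmark. The empty second item is presumably the
             placeholder for a "next" link when there is no newer post — keep it so the layout is unchanged. -->
        <nav class="post-nav" aria-label="文章导航">
          <div class="post-nav-item">
            <a href="/2020/09/08/shell/" rel="prev" title="shell">
              <i class="fa fa-chevron-left" aria-hidden="true"></i> shell
            </a>
          </div>
          <div class="post-nav-item"></div>
        </nav>
      </footer>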
    
  </article>
  
  
  



        </div>
        
    
  <div class="comments">
    <!-- Mount point for the comment widget; NexT.utils.loadComments('#SOHUCS', ...) further down injects it -->
    <div id="SOHUCS"></div>
  </div>
  

<script>
  (() => {
    // Persisted comment-tab selection. CONFIG.comments.activeClass is the default tab; when
    // CONFIG.comments.storage is on, the last clicked tab (kept in localStorage) wins.
    const STORAGE_KEY = 'comments_active';
    const TAB_PANE_SELECTOR = '.tabs-comment .tab-content .tab-pane';

    // Tab to open: the stored choice if storage is enabled and something is stored, else the configured one.
    const resolveActiveClass = () => {
      const configured = CONFIG.comments.activeClass;
      if (!CONFIG.comments.storage) return configured;
      return localStorage.getItem(STORAGE_KEY) || configured;
    };

    window.addEventListener('tabs:register', () => {
      const wanted = resolveActiveClass();
      if (!wanted) return;
      // NOTE(review): the stored value goes into a CSS selector unvalidated; it never reaches innerHTML,
      // so the worst case is querySelector throwing on a malformed value or matching nothing.
      const tabLink = document.querySelector(`a[href="#comment-${wanted}"]`);
      if (tabLink) tabLink.click();
    });

    if (CONFIG.comments.storage) {
      window.addEventListener('tabs:click', event => {
        const pane = event.target;
        if (!pane.matches(TAB_PANE_SELECTOR)) return;
        // The pane's second class is what gets restored above (presumably the provider name, e.g. "changyan").
        localStorage.setItem(STORAGE_KEY, pane.classList[1]);
      });
    }
  })();
</script>

      </div>
    </main>

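    <footer class="footer">
      <div class="footer-inner">
        <!-- ICP / public-security filing links. The links and the badge image are fetched over plain http,
             which is mixed content on an https deployment; switch them to https once the endpoints are confirmed. -->
        <div class="beian">
          <a href="http://www.beian.miit.gov.cn/" rel="noopener" target="_blank">京ICP备 测试1234567890号-1 </a>
          <img src="http://www.beian.gov.cn/img/new/gongan.png" alt="" style="display: inline-block;"><a href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=%E6%B5%8B%E8%AF%951234567890" rel="noopener" target="_blank">京公网安备 测试1234567890号 </a>
        </div>

        <!-- Copyright line plus site-wide word count and reading-time estimate; the icons are decorative -->
        <div class="copyright">
          &copy;
          <span itemprop="copyrightYear">2020</span>
          <span class="with-love">
            <i class="fa fa-heart" aria-hidden="true"></i>
          </span>
          <span class="author" itemprop="copyrightHolder">刀客林</span>
          <span class="post-meta-divider">|</span>
          <span class="post-meta-item-icon">
            <i class="fa fa-chart-area" aria-hidden="true"></i>
          </span>
          <span class="post-meta-item-text">站点总字数：</span>
          <span title="站点总字数">41k</span>
          <span class="post-meta-divider">|</span>
          <span class="post-meta-item-icon">
            <i class="fa fa-coffee" aria-hidden="true"></i>
          </span>
          <span class="post-meta-item-text">站点阅读时长 &asymp;</span>
          <span title="站点阅读时长">37 分钟</span>
        </div>
        <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> &amp; <a href="https://theme-next.js.org/muse/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a> 强力驱动
        </div>
      </div>
    </footer>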
  </div>

  
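  <!-- anime.js from jsDelivr. Explicit https rather than a protocol-relative URL, so an http page never pulls
       third-party script over plain HTTP. The version is pinned, so an integrity (SRI) hash can be added once
       computed for this exact file. -->
  <script src="https://cdn.jsdelivr.net/npm/animejs@3.2.0/lib/anime.min.js"></script>
  <!-- Theme scripts, kept in this order and without defer: the inline scripts further down call NexT.utils -->
  <script src="/js/utils.js"></script>
  <script src="/js/motion.js"></script>
  <script src="/js/schemes/muse.js"></script>
  <script src="/js/next-boot.js"></script>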


  
  <script>
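    (function(){
      // Baidu link-submission beacon. The upstream snippet chose the http:// loader on http pages, which lets
      // any on-path attacker substitute the script; the https loader is used unconditionally instead (an
      // https script may be loaded from an http document without restriction).
      var bp = document.createElement('script');
      bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
      // Insert before the first script element, as the upstream snippet does; a dynamically inserted
      // script does not block parsing.
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(bp, s);
    })();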
  </script>











<script>
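document.querySelectorAll('.pdfobject-container').forEach(element => {
  // Each container names the PDF in data-target and its display height in data-height.
  const url = element.dataset.target;
  const pdfOpenParams = {
    navpanes : 0,
    toolbar  : 0,
    statusbar: 0,
    pagemode : 'thumbs',
    view     : 'FitH'
  };
  // PDF open-parameter fragment appended to the viewer URL.
  const pdfOpenFragment = '#' + Object.entries(pdfOpenParams).map(([key, value]) => `${key}=${encodeURIComponent(value)}`).join('&');
  const fullURL = `/lib/pdf/web/viewer.html?file=${encodeURIComponent(url)}${pdfOpenFragment}`;

  // Build the viewer with DOM APIs instead of an innerHTML string: url and height come from markup
  // attributes and were previously spliced into HTML unescaped, so a quote in either could break out of
  // the src/style attribute. Setting properties cannot inject markup.
  let viewer;
  if (NexT.utils.supportsPDFs()) {
    viewer = document.createElement('embed');
    viewer.className = 'pdfobject';
    viewer.type = 'application/pdf';
    viewer.src = url + pdfOpenFragment;
  } else {
    viewer = document.createElement('iframe');
    viewer.src = fullURL;
    viewer.title = 'PDF viewer';
    // frameborder is obsolete but kept so the fallback still renders borderless as before.
    viewer.setAttribute('frameborder', '0');
  }
  viewer.style.height = element.dataset.height;
  element.textContent = '';
  element.appendChild(viewer);
});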
</script>


<script>
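if (document.querySelectorAll('pre.mermaid').length) {
  // Only pages that actually contain a mermaid block fetch the library. Explicit https (not protocol-relative)
  // so an http page never loads third-party script over plain HTTP; the version stays pinned to 8.6.4.
  // window.mermaid is passed as the third argument — presumably the "already loaded" check; confirm in utils.js.
  NexT.utils.getScript('https://cdn.jsdelivr.net/npm/mermaid@8.6.4/dist/mermaid.min.js', () => {
    mermaid.init({
      theme    : 'forest',
      logLevel : 3,
      flowchart: { curve     : 'linear' },
      gantt    : { axisFormat: '%m/%d/%Y' },
      sequence : { actorMargin: 50 }
    }, '.mermaid');
  }, window.mermaid);
}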
</script>


  

  

  <script>
  {
    // Changyan comments: when NexT.utils.loadComments decides the #SOHUCS mount point should be populated
    // (presumably lazily — see utils.js), fetch the provider script and configure the widget with this
    // site's public app identifiers.
    const changyanConfig = {
      appid: 'cyuYT0YXi',
      conf : '84caa3b92fd5f3996f4e117aad400242'
    };
    const changyanScript = 'https://changyan.sohu.com/upload/changyan.js';
    const configureChangyan = () => {
      window.changyan.api.config(changyanConfig);
    };
    const fetchChangyan = () => {
      NexT.utils.getScript(changyanScript, configureChangyan);
    };
    NexT.utils.loadComments('#SOHUCS', fetchChangyan);
  }
  </script>
  <!-- Third-party comment-count plugin, loaded without an integrity hash; the URL carries no version, so
       SRI cannot be applied reliably — the provider can change this script at any time. -->
  <script src="https://assets.changyan.sohu.com/upload/plugins/plugins.count.js"></script>

</body>
</html>
